Improving resistance to differential cryptanalysis and the redesign of LOKI
|
|
- Felicia Barker
- 6 years ago
- Views:
Transcription
1 University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 1993 Improving resistance to differential cryptanalysis and the redesign of LOKI Lawrence P. Brown Matthew Kwan Joseph Pieprzyk Jennifer Seberry University of Wollongong, jennie@uow.edu.au Publication Details L. P. Brown, M. Kwan, J. Pieprzyk and J. Seberry, Improving resistance to differential cryptanalysis and the redesign of LOKI, Advances in Cryptology - ASIACRYPT'91, (H. Imai, R. L. Rivest and T. Matsumoto, (Eds.)), 739, Lecture Notes in Computer Science, Springer-Verlag, (1993), Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library: research-pubs@uow.edu.au
2 Improving resistance to differential cryptanalysis and the redesign of LOKI Abstract Differential Cryptanalysis is currently the most powerful tool available for analysing block ciphers, and new block ciphers need to be designed to resist it. It has been suggested that the use of S-boxes based on bent functions, with a fiat XOR profile, would be immune. However our studies of differential cryptanalysis, particularly applied to the LOKI cipher, have shown that this is not the case. In fact, this results in a relatively easily broken scheme. We show that an XOR profile with carefully placed zeroes is required. "We also show that in order to avoid some variant forms of differential cryptanalysis, permutation P needs to be chosen to prevent easy propagation of a constant XOR value back into the same S-box. We redesign the LOKI cipher to form LOKI91, to illustrate these results, as well as to correct the key schedule to remove the formation of equivalent keys. We conclude with an overview of the security of the new cipher. Disciplines Physical Sciences and Mathematics Publication Details L. P. Brown, M. Kwan, J. Pieprzyk and J. Seberry, Improving resistance to differential cryptanalysis and the redesign of LOKI, Advances in Cryptology - ASIACRYPT'91, (H. Imai, R. L. Rivest and T. Matsumoto, (Eds.)), 739, Lecture Notes in Computer Science, Springer-Verlag, (1993), This conference paper is available at Research Online:
3 I If. Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI Lawrence BRO\-VN Matthew K lan Josef PIEPRZYK Jennifer SEBERRY Department of Computer Science, University College, UNS\V, Australian Defence Force Academy, Canberra ACT Australia. Abstract Differential Cryptanalysis is currently the most powerful tool available for analysing block ciphers, and new block ciphers need to be designed to resist it. It has been suggested that the use of S- boxes based on bent functions, with a fiat XOR profile, would be immune. However our studies of differential cryptanalysis, particularly applied to the LOKI cipher, have shown that this is not the case. In fact, this results in a relatively easily broken scheme. We show that an XOR profile with carefully placed zeroes is required. "Ve also' show that in order to avoid some variant forms of differential cryptanalysis, permutation P needs to be chosen to prevent easy propagation of a constant XOR value back into the same S-box. We redesign the LOKI cipher to form LOKI91, to illustrate these results, as well as to correct the key schedule to remove the formation of equivalent keys. We conclude with an overview of the security of the new cipher. 1 Introduction Cryptographic research is currently a very active field, with the need for new encryption algorithms having spurred the design of several new block ciphers [1]. The most powerful tool for analysing such block ciphers currently known is differential cryptanalysis. It has been used to find design deficiencies in many of the new ciphers. Some new design criteria have been
4 37 Output XOR n a b c d e Input f g XOR h rn. 2-1 i j Figure 1: An XOR Profile proposed which are claimed to provide immunity to differential cryptanalysis. These involve the use of S-boxes based on bent functions, selected so the resultant box has a flat XOR profile. In this paper, after presenting a brief introduction to the k~y concepts in differential cryptanalysis, we will show that these new criteria do not provide the immunity claimed, but rather can result in the design of a scheme which may be relatively easily broken. What we believe is required, is an S-box with carefully placed zeroes, which significantly hinder the differential cryptanalysis process. vve continue by documenting our analysis of the LOKI cipher. We report on a previously discovered differential cryptanalysis attack, faster than exhaustive search up to 11 rounds, as well as on a new attack, using an alternate form of analysis, which is faster than exhaustive search up to 14. rounds. vve also briefly note some design deficiencies in the key schedule which resulted in the generation of equivalent keys. This process highlighted some necessary additional design criteria needed to strengthen block ciphers against these attacks. We conclude by describing the redesign of the LOKI cipher, using it to illustrate the application of these additional design principles, and make some comments on what we believe is the security of the new scheme. 2 Differential Cryptanalysis 2.1 Overview Differential Cryptanalysis is a dynamic attack against a cipher, using a very large number of chosen plaintext pairs, which through a statistical analysis of the resulting ciphertext pairs, can be used to determine the key in use. In general, differential cryptanalysis is much faster than exhaustive search for a certain number of rounds in the cipher, however there is a breakeven point where it becomes slower than exhaustive search. The lower the number of rounds this is, the greater the security of the cipher. Differential Crypt-
5 38 np = (t', R') = (x, 0) a'=o b'=x nt = (R', t') = (0, x) Figure 2: A 2-round Iterative Characteristic analysis was first described by Biham and Shamir in [2], and in greater detail in [3]. These described the general technique, and its application to the analysis of the DES and the Generalised DES. Subsequent papers by them have detailed its application to FEAL and N-Hash [4], and to Snefru, Khafre, Redoc-II, LOKI, and Lucifer [5J. In Differential Cryptanalysis, a table showing the distribution of the XOR of input pairs against the XOR of output pairs is used to determine probabilities of a particular observed output pair being the result of some input pair. The general form of such a table is shown in Fig l. To attack a multi-round block cipher, the XOR profile is used to build n round characteristics, which have a given probability of occurring. These char~cteristics specify a particular input XOR, a possible output XOR, the necessary intermediate XOR's, and the probability of this occurring, In their original paper [3], Biham and Shamir describe 1,2,3 and 5 round characteristics which may be used to directly attack versions of DES up to 7 rounds. Knowing a characteristic, it is possible to infer information about the outputs for the next two rounds. To utilise this attack, a number of pairs of inputs, having the nominated input XOR, are tried, until an output XOR results which indicates that the pattern specified in the characteristic has occurred. Since an n round characteristic has a probability of occurrence, Jor most keys we can state on average, how many pairs of inputs need to be trialed before the characteristic is successfully matched. Once a suitable pair, known as a right pair, has been found, information on possible keys which could have been used, is deduced. Once this is done we have two plaintext-ciphertext pairs. We know from the ciphertext, the input to the last round. Knowing the input XOR and output XOR for this round, we can thus restrict the possible key bits used in this round, by considering those outputs with an XOR of zero, providing information on the outputs
6 39 Output XOR n Input XOR 0 a b b b b b b b In. 2-1 b b Figure 3: Flat XOR Profile of some of the S-boxes. By then locating additional right pairs we can eventually either uniquely determine the key, or deduce sufficient bits of it that an exhaustive search of the rest may be done. N round characteristics can be concatenated to form longer characteristics if the output of the first supplies the input to the second, with probabilities multiplied together. A particularly useful characteristic is one whose output is a swapped version of its input, and which hence may be iterated with itself. This may be used to analyse an arbitrary number of rounds of the cipher, with a steadily increasing work factor. A particularly useful for~ is one where a non-zero input XOR to the F function results in a zero output XOR. Such a characteristic is illustrated in Fig 2, and may be denoted as: A. (x, 0) -> (0, x) always (ie Pr=l) B. (0, x) -> (x, 0) with some probability p It may be iterated as A B A B A B A B to 8 rounds for example, with characteristic probability p4. This form of characteristic is then used in the analysis of arbitrary n round forms of a cipher, until the work factor exceeds exhaustive search. These techniques are described in detail in [3]. 2.2 Why Flat XOR profiles Don't Work Given the success of differential cryptanalysis in the analysis of block ciphers, it has become important to develop design criteria to improve the resistance of block ciphers to it, especially with several candidates having performed poorly. Dawson and Tavares [6] have proposed that theselection of S-boxes with equal probabilities for each output XOR given an input XOR (except input 0) would result in a cipher that was immune to differential cryptanalysis (see Fig. 3). However a careful study of Biham and Shamir's attack on the 8 round version of DES [3], confirmed by our own analyses of LOKI, have shown that this is not the case.
7 40 Indeed the selection of such S-boxes results in a cipher which is significantly easier to crypt analyse than normal. This is done by constructing a 2 round iterative characteristic of the form in Fig. 2, with an input XOR that changes bits to one S-box only. 'YVe know we can do this, since the fiat XOR profile implies that an output XOR of 0 for a specified input XOR will occur with Pr(1/2 n ). When iterated over 2k rounds, this will have a probability of Pr(1/2(k-l)n), since you get the last round for free. Consider a 16 round DES style cryptosystem, but with S-boxes having a fiat XOR profile of the form in Fig. 3 with m = 6, n = 4, and k = 8. This may be attacked by a 15-round characteristic, chosen to alter inputs to a single S-box only. This gives a probability to break with a given test pair of Pr(1/2 28 ), implying that about 2 28 pairs need to be tried to break the cipher, far easier than by exhaustive search. 2.3 Significance of Permutation P Although differential cryptanalysis may be done independent of permutation P, knowledge of a particular P may be used to construct some other useful n round characteristics for crypt analysing a particular cipher. The most useful of these take the form of a 2 or 3 round characteristic which generate an output XOR identical to the input XOR, either directly in 2 rounds, or by oscillating between two alternate XOR values over 3 rounds. The 1 round characteristic is sensitive to the form of permutation P. This form of characteristic has been found in the original version of LOKI, as detailed below. It thus indicates that care is needed in the design of not just the S-boxes, but of all elements in function F, in order to reduce susceptibility to differential cryptanalysis. 3 Analysis of LOKI 3.1 Overview LOKI is one of several recently proposed new block ciphers. It was originally detailed by Brown, Pieprzyk and Seberry in [7]. Its overall structure is shown in Fig. 4. We will refer to this version of the cipher as L01(I89 in the remainder of this paper. It is a 16 round Feistel style cipher, with a relatively straightforward key schedule, a non-linear function F = P(S(E(RtBK))), and four identical 12-to-8 bit S-boxes. Permutation P in LOKI has a regular structure which distributes the 8 output bits from each S-box to boxes [ ] in the next round. Its S-box consists of functions, based on exponentiation in a Galois field GF(2 8 ) (see [8]), with the general structure shown in Fig. 4.
8 41 C 5 Sfn(c.1!!) I ) 1b9b1_blbll I lb7b6_blbol ( s. Srnk.l") ( S. Stmc.l) ), ~1l hlob! tol lllpultrom ( s. 5ln(c.o,, Figure 4: LOKI89 Overall Structure and S-box Detail 3.2 Security of LOKI89 Initial testing of the statistical and complexity properties of LOKI89 indicated that its properties were very similar to those exhibited by DES, FEAL8 and Lucifer [9], results that were very encouraging. Initial examination of the XOR profile of the LOKI89 S-box also suggested that it should be more resistant than DES to differential cryptanalysis. LOKI89 was then analysed in detail using differential cryptanalysis. Biham [5] describes an attack, using a 2 round iterative characteristic with Pr(118/2 20 ) ~ Pr( ), with non-zero inputs to 2 S-boxes resulting in the same output. There are four related variants (by rotation) of the form: A. ( , ) -) ( , ) B. ( , ) -) ( , ) alvays Pr(118/2-20) This characteristic is iterated to 8 rounds with Pr( ), allowing up to 10 rounds to be broken faster than by exhaustive key space search. This is a significantly better result than for the DES. The authors have verified this attack. The authors have subsequently found an alternate 3 round iterative characteristic, attacking S-box 3, with an output XOR identical to the input XOR. Since permutation P in LOKIS9 permutes some output bits
9 42 back to the same S-box in the next round, this allows the characteristic to be iterated. It has the form: A. ( , ) -> ( , ) B. ( , ) -> ( , ) C. ( , ) -> ( , ) always Pr(28/4096) Pr(28/4096) Since 28/4096 ::::: if we concatenate these characteristics, we get a 13 round characteristic in the order ABC ABC ABC ABC A with a probability of Pr(2-7 2 *8) ::::: Pr(2- S7 6 ). This may be used to attack a 14 round version of LOKI89, and requires 0(2 59 ) pairs to succeed. This is of the same order as exhaustive search (which is of 0(260), as detailed below), and is thus a more successful attac1..'-than that reported previously. It has been verified by Biham. This still leaves the full 16 round version of LOKI89 secure, but with a reduced margin against that originally believed. Independently, the authors [10], Biham [5], and the members of the RIPE consortium have discovered a weakness in the LOKI89 key schedule. It results in the generation of 15 equivalent keys for any given key, effectively reducing the key-space to 2 60 keys. A complementation property also exists which results in 256 (key, plain, cipher) triples being formed, related by LOK I(P, K) 6 pppppppppppppppp = LOI(J(P 6 pppppppppppppppp, K e mmmmmmmmnnnnnnnn), where p = m6n for arbitrary hex values m, n. This may be used to reduce the complexity of a chosen plaintext attack by an additional factor of 16. These results were found by analysing the key schedule by regarding each S-box input as a linear function of the key and plaintext, and solving to form (key, plaintext) pairs which result in identical S-box input values. This lead to solving the following equations: RD 6 KRD 6 n.roti2(kld) = 0 LD 6 KLD 6 n.roti2(j(rd) = 0 where LD = L' 6 L, RD = R' 6 R, J(LD = J(L' 6 KL, and J(RD = K R' 9 J( R describe the difference between the related (key, plaintext) pairs. This method is detailed by Kwan in [10]. In the light of these results, the authors have devised some additional design guidelines to those originally used in the design of LOKI, and have applied them in the development of a new version, LOKI91. 4 Redesign of LOKI 4.1 Some Additional Design Guidelines To improve the resistance of a cipher to differential cryptanalysis, and to remove problems with the key schedule, the following guidelines were used: (1) (2)
10 43 analyse the key schedule to minimize the generation of equivalent key, or related (key, plaintext) pairs. minimise the probability that a non-zero input XOR results in a zero output XOR, or in an identical output XOR, particularly for inputs that differ in only 1 or 2 S-boxes. ensure the cipher has sufficient rounds so that exhaustive search is the optimal attack (ie have insufficient pairs to do differential cryptanalysis). ensure that there is no way to make all S-~()xes give 0 outputs, to increase the ciphers security when used in hashing modes. These criteria were used when selecting the changes made to the LOKI structure, detailed below. 4.2 Design of LOKI91 LOKI91 is the revised version, developed to address the results detailed above. Changes have been made to two aspects of the LOKI structure. Firstly the key schedule has been amended in several places to significantly reduce the number of weak keys. Secondly the function used in the S boxes has been altered to improve its utility in hashing applications, and to improve its immunity to differential cryptanalysis. In more detail, the four changes made to the original design were: 1. change key schedule to swap halves after every second round 2. change key rotations to alternate between ROTI3 and ROT12 3. remove initial and final XORs of key with plaintext and ciphertext 4. alter the S-box function used in the LOKI S-box (Fig. 4) to Sfn(row, col) = (col + ((row * 17) $ f!is)&ffls?lmodg rouj (3) where + and * refer to arithmetic addition and multiplication, EB is addition modulo 2, and the exponentiation is performed in GF(2 8 ). The generator polynomials used (grow) are as for LOKI89 [7J. The overall structure of LOKI9I that results from these changes is shown in Fig. 5. The key schedule changes remove all but a single bit complementation property, leaving an effective search space of 2 63 keys under a chosenplaintext attack. It reduces key equivalences to a single bit complementation property, similar to that of the DES where LO J( I( P, K) = LO K I( P, K),
11 44 Koyl< Input X.J L II R II 1CI.ll Kll 12 Output Y Figure 5: LOKI91 Overall Structure by reducing the solutions to each of Eq. 1 and Eq. 2 to one, and removing the independence between them by altering the swapping to every two rounds. It also greatly reduces the number of weak and semi-weak keys to those shown in Table 1 (where an * denotes weak keys). The DES also has 16 weak and semi-weak keys. The removal of the initial and final XORs became necessary with the change in the swap locations, since otherwise it would have resulted _ in cancellation of the keys bits at the input to E in some rounds. This change does affect the growth of ciphertext dependence on keys bits (see [ll]), increasing it from 3 to 5 rounds. This still compares favorably with the DES which takes either 5 or 7 rounds, dependent on the type of dependency analysed. This change also greatly assisted in the reduction of the number of equivalent keys. The new Sfn uses arithmetic addition and multiplication, as these are non-linear when used in GF(2 8 ). The addition modulo two of the row with 1116 ensures that an all zero input gives a non-zero output, thus removing the major deficiency of L01<189 when used as a hash function. The result of the addition and multiplication is masked with f /16 to restrict the value to lie with GF(2 8 ), prior to the exponentiation in that field. The new function reduces the probabilities of occurance of n round iterative characteristics,
12 45 Encrypt Key Decrypt Key * OOOOOOOOaaaaaaaa aaaaaaaaoooooooo OOOOOOOOffffffff ffffffffoooooooo aaaaaaaaoooooooo OOOOOOOOaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa * aaaaaaaa aaaaaaaa aaaaaaaaffffffff fffffffffaaaaaaaa aaaaaaaa aaaaaaaa * ffffffff ffffffff ffffffffoooooooo OOOOOOOOffffffff ffffffffaaaaaaaa aaaaaaaaffffffff ffffffff ffffffff ffffffffffffffff ffffffffffffffff * Table 1: LOKI91 Weak and semi-weak key pairs useful for differential cryptanalysis, to be as low as possible. With the new function, LOKI91 is theoretically breakable faster than an exhaustive key space search in: up to 10 rounds using a 2 round characteristic with the f(x')- > 0' mapping occuring with Pr(122/ ) up to 12 rounds using a 3 round characteristic with the f(x')- > x' mapping occuring with Pr(16/4096) (used twice) At 16 rounds, cryptanalysis is generally impossible, as insufficient pairs are available to complete the analysis. It would require: 2 80 pairs using the 3 round characterisitic, or 2 92 pairs using the 2 round characteristic compared to a total of 2 63 possible plaintext pairs. 5 Conclusion In this paper, we have shown that a flat XOR profile does not provide immunity to differential cryptanalysis, but in fact leads to a very insecure
13 46 scheme. Instead a carefully chosen XOR profile, with suitably placed 0 entries is required to satisfy the new design guidelines we have identified. We also note an analysis of key schedules, which can be used to determine the number of equivalent keys. \Ve conclude with the application of these results to the design of LOKI91. 6 Acknowledgements Thank you to the members of the crypt group for their support and suggestions. This work has been supported by ARC grant A , ATERB, and Telecom Australia research contract Appendix A - Specification of LOKI91 Encryption The overall structure of LOKI91 is shown in Fig. 5, and is specified as follows. The 64-bit input block X is partitioned into two 32-bit blocks L and R. Similarly, the 64-bit key is partitioned into twu 32-bit blocks J( L and J(R. Lo = L J( Lo = J( L (4) Ro = R KRo = KR The key-dependent computation consists (except for a final interchange of blocks) of 16 rounds (iterations) of a set of operations. Each iteration includes the calculation of the encryption function f. This is a concatenation of a modulo 2 addition and three functions E, S, and P. Function f takes as input the 32-bit right data half R;-l and the 32-bit left key half K Li produced by the key schedule KS (denoted J(i below), and which produces a 32-bit result which is added modulo 2 to the left data half Li-l. The two data halves are then interchanged (except after the last round). Each round may thus be characterised as: Li = R-l R = Li-l EB f(r;-l, J( Li) (5) f(r;-l. J(i) = P(S(E(R-l EB K i») The component functions E, S, and P are described later. The key schedule KS is responsible for deriving the sub-keys Ki, and is defined as follows: the 64-bit key J( is partitioned into two 32-bit halves K L and K R. In each round i, the sub-key Ki is the current left half of the key K [,i-;. On odd numbered rounds (1, 3, 5, etc), this half is then rotated 12 bits to the left. On even numbered rounds (2, 4, 6, etc), this half is then rotated 13 bits to the left, and the key halves are interchanged.
14 Table 2: LOKI Expansion Function E I This may be defined for odd numbered rounds as: K. = KLi- l K Li = ROL(K Li- l, 13) K Ri = K R;-l (6) This may be defined for even numbered rounds as: Ki = K L i- l KLi = KR;-l KR; = ROL(KLi_l,12) (7) Finally after the 16 rounds, the two output block halves Ll6 and R16 are then concatenated together to form the output block Y. This is defined as (note the swap of data halves to undo the final interchange in Eq.5): Decryption The decryption computation is identical to that used for encryption, save that the partial keys used as input to the function! in each round are calculated in reverse order. The rotations are to the right, and an initial pre-rotation of 8 places is needed to form the key pattern. Function f The encryption function! is a concatenation of a modulo 2 addition and three functions E, 5, and P, which takes as input the 32-bit right data half R;-l and the 32-bit left key half KL i, and produces a 32-bit result which is added modulo 2 to the left data half L i - l.!(r;-l, K i ) = K i ))) (9) The modulo 2 addition of the key and data halves ensures that the output of! will be a complex function of both of these values. (8)
15 48 Row gen rouj erouj I Table 3: LOKI S-box Irreducible Polynomials and Exponents The expansion function E takes a 32-bit input and produces a 48-bit output block, composed offour 12-bit blocks which form the inputs to four S-boxes in function j. Function E selects consecutive blocks of twelve bits as inputs to S-boxes S(4), S(3), S(2), and S(I) respectively, as follows: [b 3 b 2 b o b 3I b 30 b 24 ] [b 21 b 26 b 16 ] [b 19 b IS bs] [b l1 b IO bol This is shown in full in Table 2 which specifies the source bit for outputs bits 47 to 0 respectively: The substitution function S provides the confusion component in the LOKI cipher. It takes a 48-bit input and produces a 32-bit output. It is composed of four S-boxes, each of which takes a 12-bit input and produces an 8-bit output, which are concatenated together to form the 32-bit output of S. The 8-bit output from S(4) becomes the most significant byte (bits [ ]), then the outputs from S(3) (bits[ ]), S(2) (bits[ ]), and S(I) (bits [7... 0]). In LOKI91 the four S-boxes are identical. The form of each S-box is shown in Fig 4. The 12-bit input is partitioned into two segments: a 4-bit row value row formed from bits [b l1 b IO b I bo], and an 8-bit column value eol formed from bits [b 9 bs... b 3 b 2 ]. The row value row is used to select one of 16 S-functions SjnroUJ(eol), which then take as input the
16 ~ Table 4: LOKI Permutation P column value col and produce an 8-bit output value. This is defined as: SfnroUl(col) = (col + «row * 17) E!1 ffls)r&fflsyr""'modgroul (10) where genroul is an irreducible polynomial in G F(2 8 ), and eroul is the (constant 31) exponent used in forming Sf n roul( col). The generators and exponents to be used in the 16 S-functions in LOKI91 are specified in Table 3. For ease of implementation in hardware, this function can also be written as: SfnroUl(col) = (col + «row)l(row «4))&f hs)31modgroul (11) The permutation function P provides diffusion of the outputs from the four S-boxes across the inputs of all S-boxes in the next round. It takes the 32-bit concatenated outputs from the S-boxes, and distributes them over all the inputs for the next round via a regular wire crossing which takes bits from the outputs of each S-box in turn, as defined in Table 4 which specifies the source bit for output bits 31 to 0 respectively. Test Data A single test triplet for the LOKI91 primitive is listed below. # Single LOKI91 Certification triplet # data is saved as (key, plaintext, ciphertext) hex tripiets # c260231ge d55e c86caecle3b7b17e
17 50 References [1] J. Seberry and J. Pieprzyk, Cryptography: An Introduction to Computer Security. Englewood Cliffs, NJ, Prentice Hall, [2] E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," Journel of Cryptology,' 4, no. 1, 1991, to appear. [3] E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," 'YVeizmann Institute of Science, Rehovot, Israel, Technical Report, 19 July [4] E. Biham and A. Shamir, "Differential Cryptanalysis of Feal and N Hash," in Eurocrypt'91 Abstracts, Brighton, UK, 8-11 April [5] E. Biham and A. Shamir, "Differential Cryptanalysis Snefru, Kharfe, REDOC-II, LOKI and Lucifer," in Abstracts Crypto'91, Santa Barbara, Aug [6J M. H. Dawson and S. E. Tavares, "An Expanded Set of S-box Design Criteria Based On Information Theory and Its Relation to Differential Like Attacks," in Eurocrypt'91 Abstracts, Brighton, UK, 8-11 April [7] L. Brown, J. Pieprzyk and J. Seberry, "LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications," in Advances in Cryptology: Auscrypt '90 (Lecture Notes in Computer Science), vol Berlin: Springer Verlag, pp , [8] J. Pieprzyk, "Non-Linearity of Exponent Permutations," in Advances in Cryptology - Eurocrypt'89 (Lecture Notes in Computer Science), vol. 434, J. J. Quisquater and J. Vanderwalle, Eds. Berlin: Springer Verlag, pp , [9] L. Brown, J. Pieprzyk, R. Safavi-Naini and J. Seberry, "A Generalised Testbed for Analysing Block and Stream Ciphers," in Proceedings of the Seventh In tern a tion IFIP TC1l Conference on Information Security, W. Price and D. Lindsey, Eds. North-Holland, May 1991, to appear. [10] M. Kwan and J. Pieprzyk, "A General Purpose Technique for Locating Key Scheduling Weaknesses in DES-style Cryptosystems," in Advances in Cryptology - Asiacrypt '91 (Lecture Notes in Computer Science). Berlin: Springer Verlag, Nov 1991, to appear. [11] L. Brown and J. Seberry, "Key Scheduling in DES Type Cryptosystems," in Advances in Cryptology: Auscrypt '90 (Lecture Notes in Computer Science), vol Berlin: Springer Verlag, pp , 1990.
On the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationLOKI - A Cryptographic Primitive for Authentication and Secrecy Applications 1
LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications Lawrence Brown, Josef Pieprzyk, Jennifer Seberry, Centre for Computer Security Research, Department of Computer Science, University
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationDESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract)
DESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract) CARLISLE M. ADAMS Bell-Northern Research, Ltd., P.O. Box 3511 Station C, Ottawa, Ontario, Canada, KI Y 4117 STAFFORD
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationPractically secure Feistel ciphers
Practically secure Feistel ciphers Lars R. Knudsen /~rhus University, Denmark** Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce
More informationWeak Keys. References
Weak Keys The strength of the encryption function E K (P) may differ significantly for different keys K. If for some set WK of keys the encryption function is much weaker than for the others this set is
More informationCENG 520 Lecture Note III
CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationModern Block Ciphers
Modern Block Ciphers now look at modern block ciphers one of the most widely used types of cryptographic algorithms provide secrecy /authentication services focus on DES (Data Encryption Standard) to illustrate
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationSelf evaluation of FEAL-NX
Self evaluation of FEAL-NX 1 Evaluation of security 1.1. Differential cryptanalysis In extending differential cryptanalysis, Aoki, Kobayashi, and Moriai [1] greatly reduced the computational amount needed
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationBlock Encryption and DES
Block Encryption and DES Plain Text Block 1 Block 2 Block 3 Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available
More informationJournal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10
Randomizing encryption mode Yi-Shiung Yeh 1, I-Te Chen 1, Chan-Chi Wang 2, 1 Department of Computer Science and Information Engineering National Chiao-Tung University 1001 Ta Hsueh Road Hsinchu 30050 Taiwan
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationDifferential Cryptanalysis of Madryga
Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationThe Security of Elastic Block Ciphers Against Key-Recovery Attacks
The Security of Elastic Block Ciphers Against Key-Recovery Attacks Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 2 1 Alcatel-Lucent Bell Labs, New Providence, New Jersey, USA dcook@alcatel-lucent.com
More informationPerformance enhancement of Blowfish and CAST-128 algorithms and Security analysis of improved Blowfish algorithm using Avalanche effect
244 Performance enhancement of Blowfish and CAST-128 algorithms and Security analysis of improved Blowfish algorithm using Avalanche effect Krishnamurthy G.N, Dr. V. Ramaswamy, Leela G.H and Ashalatha
More informationCrypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion
Crypto Basics Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion 1 What is a cryptosystem? K = {0,1} l P = {0,1} m C = {0,1} n, C C E: P K C D: C
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationStrict Key Avalanche Criterion
Strict Key Avalanche Criterion E Dawson, H Gustafson and A N Pettitt School of Mathematics and Information Security Research Centre Queensland University of Technology GPO Box 2434 Brisbane Qld 4001 Abstract.
More informationDesigning a New Lightweight Image Encryption and Decryption to Strengthen Security
2016 IJSRSET Volume 2 Issue 2 Print ISSN : 2395-1990 Online ISSN : 2394-4099 Themed Section: Engineering and Technology Designing a New Lightweight Image Encryption and Decryption to Strengthen Security
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationTechnion - Computer Science Department - Technical Report CS
How to Forge DES-Encrypted Messages in 2 28 Steps Eli Biham 1 Abstract In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationBreaking Grain-128 with Dynamic Cube Attacks
Breaking Grain-128 with Dynamic Cube Attacks Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. We present a new variant of cube attacks called
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationThe MESH Block Ciphers
The MESH Block Ciphers Jorge Nakahara Jr, Vincent Rijmen, Bart Preneel, Joos Vandewalle Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Belgium {jorge.nakahara,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
More informationA New Technique for Sub-Key Generation in Block Ciphers
World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationCS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES
CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES PREPARED BY R.CYNTHIA PRIYADHARSHINI AP/IT/SREC Block Ciphers A block cipher is an encryption/decryption scheme in which a block of plaintext is treated
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationDifferential Attack on Message Authentication Codes
Differential Attack on Message Authentication Codes Kazuo Ohtal and Mitsuru Matsui2 NTT Network Information Systems Laboratories Nippon Telegraph and Telephone Corporation 1-2356, Take, Yokosuka-shi, Kanagawa-ken,
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationTechnological foundation
Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationA New Meet-in-the-Middle Attack on the IDEA Block Cipher
A New Meet-in-the-Middle Attack on the IDEA Block Cipher Hüseyin Demirci 1, Ali Aydın Selçuk, and Erkan Türe 3 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr Department of
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationDesign of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures
Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures 1 Suresh Sharma, 2 T S B Sudarshan 1 Student, Computer Science & Engineering, IIT, Khragpur 2 Assistant
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems Encrypting a small block of text (say 64 bits) General Considerations: 1. Encrypted
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationModern Symmetric Block cipher
Modern Symmetric Block cipher 81 Shannon's Guide to Good Ciphers Amount of secrecy should determine amount of labour appropriate for encryption and decryption The set of keys and enciphering algorithm
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationSymmetric Cryptography CS461/ECE422
Symmetric Cryptography CS461/ECE422 1 Outline Overview of Cryptosystem design Commercial Symmetric systems DES AES Modes of block and stream ciphers 2 Reading Section 2.4-2.6 and 12.2 in Security in Computing
More informationSOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS
SOLUTIONS OR HOMEWORK # 1 ANSWERS TO QUESTIONS 2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated
More informationAN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT
AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT 1 MANIKANDAN.G, 2 MANIKANDAN.R, 3 RAJENDIRAN.P, 4 KRISHNAN.G, 5 SUNDARGANESH.G 1 Assistant Professor, School of Computing, SASTRA University,
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationPublic Key Cryptography
graphy CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L07, Steve/Courses/2011/S2/CSS322/Lectures/rsa.tex,
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationAnalysis of MARS. January 12, 2001
Analysis of MARS January 12, 2001 Executive Summary This report presents the results of a limited evaluation of the block cipher MARS. No important weaknesses or flaws were found on MARS. The round function
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun and Xuejia Lai Department of Computer Science Shanghai Jiao Tong University Shanghai, 200240, China sunsirius@sjtu.edu.cn, lai-xj@cs.sjtu.edu.cn Abstract.
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationThe signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard
The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard Regular paper Michał Misztal Abstract There is presented the differential cryptanalysis method of attack
More informationChosen Ciphertext Attack on SSS
Chosen Ciphertext Attack on SSS Joan Daemen 1, Joseph Lano 2, and Bart Preneel 2 1 STMicroelectronics Belgium joan.daemen@st.com 2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC {joseph.lano,bart.preneel}@esat.kuleuven.ac.be
More informationOutline Basics of Data Encryption CS 239 Computer Security January 24, 2005
Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005 What is data encryption? Basic encryption mechanisms Stream and block ciphers Characteristics of good ciphers Page 1 Page 2 Data
More informationChapter 9. Public Key Cryptography, RSA And Key Management
Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
More informationHill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key
International Journal of Computer Networks and Security, ISSN:25-6878, Vol.23, Issue.2 7 Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and
More informationCSc 466/566. Computer Security. 6 : Cryptography Symmetric Key
1/56 CSc 466/566 Computer Security 6 : Cryptography Symmetric Key Version: 2012/02/22 16:14:16 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More information